Harden NixOS config defaults and setup guidance #4

Merged
Copilot merged 13 commits from copilot/review-nixos-setup-issues into main 2026-02-01 21:17:59 +00:00
3 changed files with 5 additions and 4 deletions
Showing only changes of commit f95c64168c


@@ -63,7 +63,7 @@ Defaults are set in `flake.nix` and used across modules. Update them there:
| `time.timeZone` | `America/New_York` | `modules/common.nix` |
| `i18n.defaultLocale` | `en_US.UTF-8` | `modules/common.nix` |
Also rename the default `hosts/atlas/` directory to match your actual hostname, and ensure the same hostname is set in `flake.nix`.
Also rename the default `hosts/atlas/` directory to match your actual hostname, and ensure the same hostname is set in `flake.nix` (the flake uses it to locate `hosts/<hostname>/hardware-configuration.nix`).
### 3. Stage Files in Git
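Review bot: the parenthetical now explains why the hostname must match, but "ensure the same hostname is set in `flake.nix`" still does not say where; since `hostname` is bound alongside `username = "pinj";` in the `flake.nix` hunk of this same commit and consumed by `hostConfig = ./hosts + "/${hostname}/hardware-configuration.nix";`, name that binding here, and mention that a mismatch shows up as a missing-path error when `hostConfig` is evaluated, so first-time readers recognise the failure.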


@@ -41,7 +41,8 @@
username = "pinj";
lib = nixpkgs.lib;
hostConfig = ./hosts + "/${hostname}/hardware-configuration.nix";
specialArgs = { inherit inputs system hostname username; };
passwordHashPath = "/etc/nixos/secrets/${username}/password.hash";
specialArgs = { inherit inputs system hostname username passwordHashPath; };
copilot-pull-request-reviewer[bot] commented 2026-02-01 21:21:01 +00:00 (Migrated from github.com)
Review

The username validation regex allows usernames that consist only of underscores followed by other characters (e.g., "___abc"), but the second check `builtins.match "^_+$" username == null` only rejects usernames that are entirely underscores. According to standard Unix username conventions, usernames starting with underscore are typically reserved for system accounts. Consider strengthening the validation to reject any username starting with underscore unless that's intentionally allowed for system accounts.

      builtins.match "^[a-z][a-z0-9_]*$" username != null
# Verify mango flake exports the expected module
mangoModule = assert lib.hasAttrByPath [ "nixosModules" "mango" ] mango;
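Review bot: keeping `passwordHashPath` a string rather than a path literal is essential and deserves a comment on the line `passwordHashPath = "/etc/nixos/secrets/${username}/password.hash";`, because a path literal such as `./secrets/...` would be copied into the world-readable `/nix/store` at evaluation, which is exactly what `hashedPasswordFile` exists to avoid; a later "tidy-up" into a relative path would silently leak the hash. Related: if this repository is checked out under `/etc/nixos`, `secrets/` sits inside the tree that the "Stage Files in Git" step adds, and a flake build copies the whole tracked tree into the store, so add `secrets/` to `.gitignore` so the hash file is neither committed nor copied.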


@@ -1,4 +1,4 @@
{ config, pkgs, inputs, system, hostname, username, ... }:
{ config, pkgs, inputs, system, hostname, username, passwordHashPath, ... }:
{
assertions = [
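Review bot: `passwordHashPath` arrives here as an untyped module argument, and this module already opens an `assertions` list, so consider adding an entry that checks `lib.hasPrefix "/" passwordHashPath` (adding `lib` to the argument set) with a message naming the binding in `flake.nix`; an empty or relative value then fails at evaluation with a clear message instead of surfacing as a missing-file problem at activation.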
@@ -118,7 +118,7 @@
extraGroups = [ "wheel" "networkmanager" "video" "seat" ];
# IMPORTANT: Generate a password hash with: mkpasswd -m sha-512
# Save it to the path below (ensure permissions are 600)
hashedPasswordFile = "/etc/nixos/secrets/${username}/password.hash";
hashedPasswordFile = passwordHashPath;
packages = with pkgs; [
# -- Noctalia Shell --
inputs.quickshell.packages.${system}.default
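Review bot: the comment `# Save it to the path below (ensure permissions are 600)` is now stale, because the path is no longer below it but comes from `passwordHashPath` in `flake.nix`. Point the comment at that binding, for example `# Save it to passwordHashPath from flake.nix (default /etc/nixos/secrets/<username>/password.hash), root-owned, mode 600`, so the `mkpasswd -m sha-512` instruction and the file location stay together for whoever provisions the host.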